Criminals are using AI-generated fake copyright violation threats to take over social media and websites - here's what you need to know

News
By published

Machine translation and AI tools fuel global reach for phishing campaigns

Close up of a person touching an email icon.
Image Credit: Pixabay (Image credit: Geralt / Pixabay)
  • Cybercriminals exploit copyright fear to push malware into everyday online spaces
  • Telegram bots now double as command hubs for evolving malware threats
  • Fake legal firms deliver malware through takedown scams in multiple languages

Cybercriminals have long relied on fear as a way to manipulate victims, and copyright claims are proving to be one of the latest tools of choice.

Research by Cofense Intelligence found attackers are sending messages designed to look like legitimate takedown requests to multiple users.

However, the real intention of these messages is to deliver malware under the guise of legal pressure.

A campaign built on deception

The report outlined how a Vietnamese threat actor referred to as Lone None has been distributing campaigns that spoof legal firms, sending messages which claim to flag copyright-infringing content on the target’s website or social media account.

What makes this wave of activity notable is the use of multiple languages, suggesting reliance on machine translation or AI tools to generate convincing templates across regions.

Victims are pressured into following links, which, instead of solving an alleged copyright problem, lead to malware downloads.

The attack chain has several unusual features that distinguish it from more traditional phishing attempts.

Instead of relying on ordinary hosting methods, the operators have embedded payload information within Telegram bot profile pages.

From there, targets are steered toward archive files hosted on free platforms such as Dropbox or MediaFire.

Inside these archives, legitimate applications like PDF readers are bundled alongside malicious files.

The malware loader is disguised to resemble normal Windows processes, and it uses obfuscated Python scripts to establish persistence and fetch additional components.

Beyond the familiar PureLogs Stealer, Cofense reports the presence of a new malware strain named Lone None Stealer, also called PXA Stealer.

This tool is engineered to focus on cryptocurrency theft, quietly replacing copied wallet addresses with those controlled by the attackers.

Communication with the operators is handled through Telegram bots, keeping the infrastructure flexible and harder to disrupt.

Although the current campaigns emphasize information stealing, the methods used could just as easily deliver ransomware in future iterations.

While technical indicators such as unusual Python installations on a host can aid in detection, the most effective shield is still training and vigilance.

A combination of advanced email security tools and endpoint protection offers a strong defense, since filtering alone cannot fully prevent these copyright-spoofing campaigns.

You might also like

Efosa Udinmwen
Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.